Virtualization Moves Data Center Functionality to the Branch Office

Published: October 2009

The following content may no longer reflect Microsoft’s current
position or infrastructure. This content should be viewed as reference
documentation only, to inform IT business decisions within your own company
or organization.

Do WAN access issues and costs keep you from providing the
datacenter services in branch offices that benefit your corporate users? Learn
how Microsoft IT uses Windows Server 2008 R2 and virtualization to deliver datacenter
functionality to branch offices. Services at the branch office level include
file and print management, offline folder redirection, operating system and
application distribution, and patch management. This has significantly improved
service availability, lowered management costs, and reduced the number of servers.

Introduction

Microsoft IT (MSIT) leverages Windows Server 2008 R2 and Hyper-V virtualization to
provide core services to its branch offices. Service availability has
improved, management costs have decreased, and the number of dedicated servers
in branch offices has been reduced.

The Centralized Shared Services Model

MSIT uses a centralized shared services model. This means
that IT services are delivered as a global service, designed and run out of the
central services group, which is physically located at the Redmond
headquarters. Local or Field IT support is delivered by regionally distributed
IT managers in branch offices. At the branch office level, this means that one
IT manager may support as many as 17 IT sites over a wide geographic area that
may include different countries.

Branch Office Virtualization Goals

The branch office virtualization vision had three key
goals:

Drive operational efficiencies in Field IT support

Improve the security as well as the manageability of the platform

Provide the flexibility to change as business needs change

The Starting Point—One Box with Six Services

MSIT started with one box running Windows 2003. That one box
had six services that couldn't be served from the central data centers—they had
to remain in the branch office. The six services were Windows Deployment
Services (WDS), Data Distribution, File, Print, Intellimirror®, and
Systems Management Server (SMS). Having all six services on one box caused security
issues because everyone who worked on those services needed access to those
servers. This resulted in services overlapping and overstepping each other. From
an operational perspective, it was hard to coordinate and difficult to schedule
downtime. Testing new service releases was also a problem because each service
had to be tested with all of the other services intact. All in all, it was a
very confusing model.

The New Platform—Six Services on Four Virtual Machines

For the new Virtual Branch Office Server platform, MSIT uses a Windows
Server 2008 R2 box with the Server Core installation option and running
Microsoft Hyper-V technology. MSIT segregated the six services into four virtual
machines, combining some of the requirements for security and operational
support into the same virtual machines. The four new virtual machines host:

File and Data Distribution services

WDS services

SMS services

Intellimirror and Print services

MSIT opted to keep WDS separate from Data Distribution services
because WDS is participating in First & Best (dogfood) efforts, testing out
new software. As a separate service, WDS can make changes without impacting the
production service. MSIT decided to isolate SMS in a separate virtual machine
for the same reason.

Benefits

Travel

The Microsoft environment is a globally diverse
environment, much like a retail store or bank with a lot of branch offices. But
unlike a retail store or bank, Microsoft doesn't have IT managers at each
location. Using the centralized features and automation that virtualization provides,
especially with System Center Virtual Machine Manager, MSIT was able to reduce
travel this fiscal year by 35 percent in North America alone. With automation, MSIT
doesn't need to send people to the various sites to do configuration changes.

Security

MSIT switched the host server to a Windows Server 2008 R2
box with the Server Core installation option. Server Core is a minimal server
installation option that provides a low-maintenance environment with limited
functionality. It has a smaller footprint and fewer security patches to apply. By
segregating the services into their own virtual machines, MSIT is able to
separate the security models. For example, a HelpDesk technician who is a Print
Server admin doesn't need to be an admin for the File server that might store
confidential or personal information.

Time

Branch office virtualization saves time when deploying
and upgrading services. For example, MSIT is currently engaged in a First &
Best effort for a new feature of Windows Server 2008 R2 called "BranchCache®."
In the past, MSIT would have needed six to nine months to deploy (order, send,
and install the server) that service worldwide. With the new platform, MSIT was
able to do the pilot in a few days. It was so easy, in fact, that MSIT decided
to expand the pilot from two to twelve sites. MSIT originally scheduled three
weeks for the expansion, but they were able to complete it in one week.

Flexibility

With the old platform, which was one OS instance hosting
six services, if MSIT had to make a change to one service, all the services would
go down when the box was rebooted. With segregated services, service managers
have a holistic end-to-end view. If they have an outage or need to take an
outage, they don't have to coordinate with the other services. The Mean Time to
Repair (MTTR) has therefore decreased significantly. Since they're the only
service affected, they can reboot and repair immediately instead of waiting until
Friday night or another scheduled time. This is a big savings, and both
operational support and the customer experience are greatly enhanced.

Previously, MSIT had an average of about five reboots per month. With
the new platform, the number of reboots has gone down and that directly impacts
the service availability of every other service running on the platform. For
example, if MSIT wants to upgrade the file servers from Windows Server 2008 to Windows
Server 2008 R2, they can put up a new virtual machine in the background, preset
it to the new file server, and then just move the Virtual Hard Disks (VHDs)
from one virtual machine to the other. The user experience for such an upgrade
from one OS to the other is a 15-minute outage instead of two or three hours,
and it can be automated and done remotely instead of having to send someone to
the site.

The Role of BranchCache

BranchCache is a new technology included in Windows Server
2008 R2. BranchCache enables content from file and Web servers on a wide area
network (WAN) to be cached on computers at a local branch office. MSIT piloted BranchCache
in two locations and saw a 58 percent reduction in wide-area-network (WAN) traffic.
It was such a great savings that MSIT decided to expand the pilot to 12 sites
and will use BranchCache for all of the Virtual Branch Office servers. MSIT has
over 80 Virtual Branch Office Service platforms in production today, which is
about 40 percent of their branch environment. The Field IT group added
relevancy to Microsoft's business by participating in this First & Best
effort. They're helping to uncover issues with BranchCache and helping to
determine the optimum settings in a real-world environment.

MSIT designed the Branch Office Virtualization platform
with additional services in mind. With the extra bandwidth that BranchCache
provides, MSIT is able to add those services. For example, in a BranchCache
pilot in Brussels, Belgium, MSIT realized a 78.9 percent savings in Server
Message Block (SMB) traffic. This bandwidth savings provides an opportunity to
add services and there is a demand from the service managers to add these extra
services. They want to be on the Virtual Branch Office Server platform. They
want better control and a better view of their services. Hyper-V virtualization
and BranchCache help to make this possible.

Branch Office Virtualization Roadmap

Future Services

Possible future branch office services include: read-only
domain controllers, private print servers, services for other operating
systems, content caching, streaming media, and network monitoring. MSIT is
looking at authentication right now. The Active Directory team previously pulled
domain controllers out of the Field for security reasons. For example, they
didn't want a HelpDesk technician to be a domain admin. With their own virtual
machine and a separate security model, they're looking at leveraging the Read
Only Domain Controller feature of Windows Server 2008 to put authentication
back into the local branch for a better user experience. MSIT is also looking
at locating Source Depot proxy and other tools in branch locations as possible
services to improve the end user experience.

Future Technologies

MSIT has already implemented virtualization at the server
level. They are adding capabilities to the branch office for Microsoft
Application Virtualization (App-V) and Microsoft Enterprise Virtualization (MED-V).
This technology could be very beneficial for Microsoft acquisitions. For
example, several years ago, Microsoft acquired a company of about 3,000
employees and MSIT needed to provide 3,000 new machines. This was a hardware constraint
issue. MSIT wasn't able to quickly acquire enough laptops so the new employees
didn't have machines to work with. With a VDI infrastructure or a virtual
machine farm, the new employees could have used their existing
non-Microsoft-standard machines. They would have been able to get to Microsoft
resources by using a virtual machine in the data center. MSIT could have set
that up in a number of weeks and avoided having to ship thousands of laptops
around the world. Infrastructure is key to service delivery and the Microsoft
Virtual Desktop Infrastructure (VDI), App-V, and MED-V are things that MSIT is
looking at to provide that infrastructure.

Conclusion

MSIT's new Virtualization Branch Office Server platform
has provided savings in a number of areas. MSIT has been able to save on travel
costs and the costs to deploy new services and upgrade existing services. The
new platform is very manageable and flexible, which also results in savings. Segregating
services into separate virtual machines has provided significant improvements
to the security model. BranchCache, a new Windows Server 2008 R2 technology,
plays an important role by helping to free up network bandwidth so additional
services can be provided. The future for virtualization in the branch office is
very bright with the addition of new technologies such as App-V and MED-V.

This document is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, BranchCache,
Intellimirror, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other
countries. The names of actual companies and products mentioned herein may be
the trademarks of their respective owners.